So you remember when your CIO told you that you’re buying Microsoft 365 E5 and you realized your life is over? It can be very overwhelming when you realize that you now need to switch all of your stuff over to Intune. As I wrote recently, you may or may not be able to make the switch. One product that comes with E5 that I think is compelling is Microsoft Defender ATP.
Adopting Microsoft Defender ATP doesn’t mean you need to flip over to Intune tomorrow, but it can be a nice addition to your existing UEM environment. I’m going to highlight some of the stuff that I love, which can enhance your UEM experience. I’m going to briefly discuss the onboarding process and some of the great value you can get inside of their console. This will cover both a Windows and MacOS deployment.
Provisioning Microsoft Defender ATP
It’s pretty simple to provision the Windows version of Defender. I prefer to use the batch file deployment. It’s pretty basic to deploy the application, but the bigger challenge will be the GPO work afterwards. You can find the batch file here.
The other part as mentioned above is configuring the GPO to ensure Defender is actually working and doing its job. Microsoft wrote a really nice article that gives you exactly what you need. Simply, you navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus and configure the following GPO items.
|Microsoft Defender Antivirus||Allow antimalware service to startup with normal priority||Enabled|
|Microsoft Defender Antivirus||Allow antimalware service to remain running always||Enabled|
|Microsoft Defender Antivirus||Configure detection for potentially unwanted applications||Enabled|
|MAPS||Join Microsoft MAPS||Enabled|
|Real-time Protection||Turn on behavior monitoring||Enabled|
|Real-time Protection||Scan all downloaded files and attachments||Enabled|
|Real-time Protection||Monitor file and program activity on your computer||Enabled|
|Real-time Protection||Turn on raw volume write notifications||Enabled|
|Real-time Protection||Turn on process scanning whenever real-time protection is enabled||Enabled|
|Real-time Protection||Define the maximum size of downloaded files and attachments to be scanned||Enabled/Specify Size|
|Real-time Protection||Configure monitoring for incoming and outgoing file and program activity||Enabled/Bi-Directional|
|Scan||Turn on heuristics||Enabled|
|Windows Defender Exploit Guard||Network Protection > Prevent users and apps from accessing dangerous websites||Enabled/Block|
|Windows Defender Exploit Guard||Controlled Folder Access > Configure Controlled folder access||Enabled/Audit Mode|
|Windows Defender Exploit Guard||Attack Surface Reduction > Configure Attack Surface Reduction Rules||Copy the rules from the Microsoft KB|
Of course, this is entirely up to you. These are the settings that I chose and I felt made sense. I definitely suggest looking at every folder for the Defender GPOs because there is a ton.
After setup, don’t forget to run the detection test to make sure things work:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
Mac deployment is much more difficult. I’m going to use my favorite MDM (Workspace ONE) as the example of building this out. You have a ton of moving parts so its vital you are on your game. You will be dealing with several scripts to make it all happen.
We won’t cover the app deployment itself as you will just do a typical PKG deployment, but it’s good to point out the uninstall script you want to build into it. A simple Bash script will get it done.
#!/bin/bash echo "Is WDAV installed?" ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null echo "Uninstalling WDAV..." rm -rf '/Applications/Microsoft Defender ATP.app' echo "Is WDAV still installed?" ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null echo "Done!"
As far as deployment goes, let’s shift our focus to the various MDM profiles that will make it happen. First, we have some custom XML profiles to build:
We also need to build the Privacy and Kernel profiles. This is relatively basic if you are familiar with them. The Kernel Extension or KEXT profile is simple. We are just whitelisting the Team ID:
The Privacy Preferences lends better to text honestly. You just set 3 fields.
Code Requirement: “com.microsoft.wdav” and anchor apple generic and certificate 1[field.1.2.840.113618.104.22.168.6] /* exists / and certificate leaf[field.1.2.840.113622.214.171.124.13] / exists */ and certificate leaf[subject.OU] = UBF8T346G
System Policy all Files: Allow
These profiles albeit long and arduous eliminate many of the pain points of deploying Defender. The other item that you want to cover is the scheduling for MacOS. The steps are pretty simple. You want to copy the scheduler plist and deploy it to your Macs in the /Library/LaunchDaemons folder along with this simple script.
launchctl load /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist launchctl start /Library/LaunchDaemons/com.microsoft.wdav.schedquickscan.plist
Once done, you can test your implementation with a simple CURL command which will surface in the console if successful.
curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
The Brilliance of the Microsoft Defender Security Center
Yeah I bet I know what you’re thinking. “Another console I have to log onto?” Yeah it is. I will admit I’m tired of the 82 admin consoles in Office 365, but this is likely one of my favorites. You can access it here. I’m going to focus on a few key areas that are particularly useful.
Threat Analytics is a fun little thing, which is similar to some of the things VMware is doing with Workspace ONE Intelligence. It’s a neat little dashboard that displays the threats to your organization and any devices that are impacted by it.
As with every portal ever, you have a nice little device list. You will see the exposure level of your devices. It gives you some nice information, but as dig deeper things get more exciting.
Interacting with Macs with Microsoft Defender ATP
MacOS has substantial limitations compared to Windows at this point. Microsoft is working on adding new features in the future, but it’s still very much a 1.0 product at this juncture. We still have plenty to be excited about.
You will see that the console captures specific information. You will see the domain information, risk level, OS version, networking information, and some nice EDR data.
Speaking of the EDR data, the alerts tab gives you deeper information into any alerts on your machines. These alerts link smartly to the incident dashboard along with the ability to assign these “incidents” to team members. The neat thing about Defender is how you can create “groups” of devices and deliver targeted notifications e.g. only deliver MacOS incidents to your Mac Engineering team.
My favorite aspect to the Mac EDR implementation is the Timeline. A very cool example of the awesomeness of the timeline is below. They show you processed spinning up, identified risks, and the actions taken.
Interacting with PCs with Microsoft Defender ATP
Like every other product at Microsoft, Windows is where Defender shines. Just a glimpse at the device details tells that story.
We have a bunch of very exciting things to check out, but I think we should start with security recommendations. It’s amazing just how good it actually is.
By clicking on security recommendations, it will show you a ton of cool stuff. You can see all of the recommended actions, whether its updating apps or adopting certain features via GPO.
You can see that they want me to update my Geforce software along with telling me what CVEs are logged for an issue.
One of the things that it tends to catch is your Office being out-of-date. From real-world experience, I can tell you that is a huge deal. In Office 365, you can often run into issues with SCCM where your Office clients are a mess. This is a huge help.
When we look at a security configuration example, it’s easy to address. As you can see below, I’m being told that I missed a setting in my GPO setup for Defender. They provide some nice blue hyperlinked text that shows me what GPO setting I need to make things secure.
Another cool area is the software inventory. You can get a view of the software on the PC, including the vendor, software version, and any open weaknesses. It’s just powerful information that you likely do not get with your MDM today.
Going back to the software and vulnerability story, you also have an aggregated tab of vulnerabilities for your viewing pleasure. One could argue that this is repetitious, but I think it’s useful.
Available PC Interactions with Microsoft Defender ATP
You have a few ways that you can interface with PCs. One of those is isolation which let’s you take the device off the network but still communicate with ATP. This quarantining feature is definitely a must have in any EDR. Microsoft deserves extra props for the ability to let Outlook and Teams still work during this mode. Don’t forget to check the box!
Another option is restricting app execution. This only allows Microsoft-signed Apps to run. It’s another potential option from isolation to be aware of, but I guess it depends on the use case. Most times, I’d choose isolation personally.
They also have standard features like running antivirus scans and collecting a log package they call “Collect Investigation Package” which are both helpful. If you’re interested in what is inside that package, check out their article.
Live Response Session
The feature that really sold me on Defender ATP is the Live Response Session (LRS). For years, we have been using SysInternals to perform remote commands on PCs with varying levels of success. I truly believe that Live Response Session could be a game changer for many of us.
Let’s start by defining the available commands.
- Analyze: Analyzes a file or process
- Connections: Lists the running connections
- Dir: Lists Files/Sub-Folders in your current location
- Download: Downloads a file in the background
- Drivers: Shows the drivers on the PC
- FileInfo: Displays File Information
- FindFile: Finds a File
- GetFile: Downloads a file from a machine
- Library: Lists the files in the library
- Processes: Shows/Gets Processes
- PutFile: Uploads a file from the library
- Registry: Shows Info about a Registry Entry
- Remediate: Remediates a bad actor
- Run (My Favorite): Executes a Powershell script from the library
- Scheduled Task: Shows Scheduled Tasks
- Trace: Sets logging to Debug
- Undo: Restores a Remediated Registry Entry, File, or Scheduled Task
So the key is the library. The idea is you upload scripts to the library or copy files from the library to the PC. It’s extremely powerful. Let’s take one of my favorite Powershell scripts here. That script uses this code:
Install-PackageProvider -Name NuGet -MinimumVersion 126.96.36.199 -Force Install-Module -Name PSWindowsUpdate -RequiredVersion 188.8.131.52 -Force Import-Module PSWindowsUpdate -Force Get-WUInstall -AcceptAll -Install -AutoReboot Restart-Computer -Force
You could use LRS to install the Windows Update module and run Windows Update remotely on a PC that is having issues patching or potentially to deploy a new version of Office. This is incredibly powerful.
I also like leveraging it to download files, which you do with a series of commands as seen below. The interesting thing to note is that you have to run the fileinfo command first before you can remotely download the file from your user.
I think it’s important to note the emphasis on doing proper role-based access control with Defender ATP. You want to make sure the RIGHT people have access and you don’t create a bigger incident when the wrong people start being cute and downloading files they wouldn’t normally have access to.
The last item to bring up are automated investigations which are pretty cool. The basic idea is when an alert is triggered the resulting incident may create a security playbook, which creates an automated investigation. Alternatively, one of your admins could manually start an investigation.
A few examples of events that cause a security playbook to occur are:
- User-reported phishing message
- URL click verdict change
- Malware detected post-delivery
- Phish detected post-delivery
The beauty of this is that it will aggregate all users that are impacted by the event and add them to the investigation. The playbook provides remediation a root investigation, steps taken to correlate and determine related threats, and recommended actions. Overall, it’s a very interesting feature that many teams will be excited about.
Microsoft Defender ATP Integrations
Something that I give Microsoft a ton of credit on is they are being more open about integrations. Without going too crazy, they are giving you the ability to integrate your threat intelligence, SIEM, MTD, and security providers directly into ATP for a single pane of glass.
Yes that does mean you need Lookout to provide an ATP-esque approach to mobile devices. I’m also very excited that they have an API explorer for those who aren’t particularly strong with Postman or whatever. Yes I know, it looks just like Postman, but easy isn’t a bad thing people!
My Final Thoughts on Microsoft Defender ATP
I could probably go even deeper and talk about some of the rules and customizations, but I think this goes deep enough. I have to say that I am pleasantly surprised by this product. EDR is a bit of a mess with a hodgepodge of vendors. In my opinion, Microsoft Defender is a nice complementary piece, but it’s not as solid as other EDRs in the space. It’s VERY close, but there are some nice analytics and bells/whistles that I have seen with the competitors.
Defender ATP accentuates the huge value you get with E5 or even if you decide to just buy Windows 10 Enterprise E5 licenses like I have. In my opinion, Defender could be the highest value EDR when it comes down to it. The product is filled with hidden gems. For companies that are smaller and aren’t true experts, it gives you a nice roadmap for building your GPOs by saying “you are missing some stuff buddy.”
Overall, it may not be as good as Crowdstrike or Carbon Black, but it can save you a ton of headaches and integrates well across the Microsoft portfolio with products like PowerBI, Microsoft Flows, Azure, and more. I strongly believe everyone should try it out, because I’m truly glad that I did.